ActiveDirSec.Org

The world's most trusted forum on Active Directory Security




Member

Posts: 16
Date: Jun 10, 2010
What are the security implications of establishing a Cross Forest Trust between 2 Active Directory forests?


Hi,

We recently had a situation where we were asked by management to basically set up a cross-forest trust between our forest and that of another company that ended up merging with us.

While we were initially hesitant, overall it seemed more cost-efficient to just establish the trust than to (obviously) move all the accounts, computers, groups and resources into a new child domain.

That said, while we run a pretty tight security shop, I'm not convinced that the same could be said of the admins of the forest, and so we are now a little concerned.

Beyond the obvious, are there any specific implications as such that we should be concerned with, and/or any helpful recommendations you might have for us?

Appreciate your input...


Thanks,
Aaron





Newbie

Posts: 3
Date: Dec 16, 2010
What are the security implications of establishing a Cross Forest Trust between 2 Active Directory forests?


Hello,

There are some risks with the forest trust, but from a 'business' standpoint, setting up some form of trust(s) is almost always done - at least in the interim - during merger/acquisition (M&A) activity.

The trust itself provides some level of risk, but if it is deemed a business requirement for access to one another's data/applications/SharePoint/etc., then you can minimize the risk to some degree by keeping admin-level group memberships in check/monitored, as well as making sure SID filtering is properly set/configured.

Cheers, Hilde





Member

Posts: 18
Date: Jun 15, 2011
RE: What are the security implications of establishing a Cross Forest Trust between 2 Active Directory forests?


Hi Aaron,

The scenario you are facing is actually quite common these days, especially given the business climate and the sheer number of mergers and acquisitions that the industry has seen over the last few years.

As for the security implications of a cross-forest trust, there are certainly 2-3 important points that need to be kept in mind -

First, the definition of Authenticated Users changes, and now includes all the users in the trusted forest as well. That has access ramifications on any IT resource (whether stored in AD or on any domain-joined machine) that allows any type of access to Authenticated Users. For example, AD grants Authenticated Users blanket read access to all content.

Secondly and on a related note, the definition of Everyone changes as well to include all users and computers from the trusted forest.

Third, as far as I know, I BELIEVE that should SID filtering across the trust be disabled, AD admins from the trusted forest could, with sufficient skill and effort, elevate their privilege to that of an AD admin in the trusting forest.

I am sure that there are other implications as well, but these are the three main ones that come to mind. I am sure that other members on this forum can add to this.

The most important indirect implication is that any user from the trusted forest can now analyze all the security permissions in the trusting forest, and because there invariably exist some excessively granted permissions in every AD, he/she could misuse this information to try and elevate their privilege in the trusting forest. (This has nothing to do with SID filtering, but rather has to do with finding and exploiting weaknesses in permissions in AD.)

I hope this helps. Good luck to you.

Nathan.



__________________
Today is the tomorrow we worried about yesterday
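A way to act on the first two points above (the widened meaning of Authenticated Users and Everyone), as an added PowerShell example that is not part of this thread: it walks a naming context and reports every allow ACE granted to either group, flagging grants that go beyond the default read. It assumes the RSAT ActiveDirectory module is installed; the function name and the list of rights treated as worth reviewing are my own choices.

```powershell
# Added example (not from the thread). Reports ACEs in the domain that grant rights to
# Authenticated Users or Everyone; once a forest trust exists, both groups include every
# principal from the trusted forest. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Well-known SIDs whose membership widens across the trust
$WideGroups = @{
    'S-1-5-11' = 'Authenticated Users'
    'S-1-1-0'  = 'Everyone'
}

# Rights beyond the default read that deserve review (list chosen for this example)
$ReviewRights = 'GenericAll|GenericWrite|WriteDacl|WriteOwner|WriteProperty|CreateChild|DeleteChild|Delete|ExtendedRight|Self'

function Get-TrustExposedAces {
    param(
        # Naming context to scan; defaults to the whole domain (slow on large directories)
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )
    Get-ADObject -Filter * -SearchBase $SearchBase -SearchScope Subtree | ForEach-Object {
        $dn  = $_.DistinguishedName
        $acl = Get-Acl -Path "AD:\$dn"
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }

            # Compare by SID so renamed or localized group names are handled
            $sid = $null
            try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { }
            if (-not $sid -or -not $WideGroups.ContainsKey($sid)) { continue }

            $rights = $ace.ActiveDirectoryRights.ToString()
            [pscustomobject]@{
                Object      = $dn
                Principal   = $WideGroups[$sid]
                Rights      = $rights
                Inherited   = $ace.IsInherited
                NeedsReview = [bool]($rights -match $ReviewRights)
            }
        }
    }
}

# Usage: explicit (non-inherited) grants that go beyond read are the ones to look at first
Get-TrustExposedAces | Where-Object { $_.NeedsReview -and -not $_.Inherited } |
    Format-Table Object, Principal, Rights -AutoSize
```

Pass an OU's distinguished name as -SearchBase to scan a subtree instead of the whole domain.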


Member

Posts: 16
Date: Jun 18, 2011
RE: What are the security implications of establishing a Cross Forest Trust between 2 Active Directory forests?


Hi Nathan,

Thanks for sharing - your insights are certainly helpful and appreciated.

You bring up two key points that we certainly want to look into, i.e. SID Filtering on trusts, and enumerating permissions in all Active Directory domains of the trusting forest.

If you don't mind my asking, I had two follow up questions for you -

1. Do you happen to know of a quick way to enumerate all trusts on which SID filtering might be disabled? It's a pain to manually view all trusts in the MMC every time we need to assess this.

2. Also, do you happen to know of an efficient way to find out everywhere a user/group might have permissions in our Active Directory? We would certainly like to perform an audit of permissions to see what someone from the trusted forest might be able to see as well.

Thanks again, and appreciate your input.

Aaron.





Member

Posts: 18
Date: Feb 5, 2013
What are the security implications of establishing a Cross Forest Trust between 2 Active Directory forests?


Hi Aaron,

Sure, I'd recommend netdom to help enumerate all trusts on which SID filtering is disabled, and this Active Directory Permissions Analyzer to enumerate who has what permissions in Active Directory.

Good luck.

- Nate



__________________
Today is the tomorrow we worried about yesterday
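Aaron's first follow-up question (listing every trust and its SID filtering state without opening each one in the MMC), as an added PowerShell example that is not part of this thread: it decodes each trust's trustAttributes flags and prints the netdom command, the tool Nate recommends, that shows or changes the same setting. It assumes the RSAT ActiveDirectory module (Get-ADTrust); the function name is hypothetical.

```powershell
# Added example (not from the thread). Lists every trust of the current domain with its
# SID filtering state, decoded from the trustAttributes bit flags defined in MS-ADTS.
# Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$TA_QUARANTINED_DOMAIN = 0x04   # SID filtering ("quarantine") enabled on an external trust
$TA_FOREST_TRANSITIVE  = 0x08   # the trust is a forest trust
$TA_TREAT_AS_EXTERNAL  = 0x40   # forest trust with SID history enabled: filtering relaxed

function Get-TrustSidFilteringReport {
    $trusting = (Get-ADDomain).DNSRoot
    Get-ADTrust -Filter * | ForEach-Object {
        $attr     = [int]$_.TrustAttributes
        $isForest = ($attr -band $TA_FOREST_TRANSITIVE) -ne 0

        # Forest trusts filter SIDs by default and are only weakened by TREAT_AS_EXTERNAL;
        # external trusts filter only when QUARANTINED_DOMAIN is set.
        $state = if ($_.IntraForest) { 'n/a (intra-forest)' }
                 elseif ($isForest)  { if ($attr -band $TA_TREAT_AS_EXTERNAL) { 'RELAXED (SID history enabled)' } else { 'On' } }
                 elseif ($attr -band $TA_QUARANTINED_DOMAIN) { 'On' }
                 else { 'OFF' }

        # netdom shows the current value when the switch is given without :Yes/:No
        $netdom = if ($isForest) { "netdom trust $trusting /domain:$($_.Target) /EnableSIDHistory" }
                  else           { "netdom trust $trusting /domain:$($_.Target) /quarantine" }

        [pscustomobject]@{
            TrustedDomain = $_.Target
            Direction     = $_.Direction
            Kind          = if ($_.IntraForest) { 'Intra-forest' } elseif ($isForest) { 'Forest' } else { 'External' }
            SidFiltering  = $state
            NetdomCheck   = $netdom
        }
    }
}

# Usage: show only the trusts where filtering is off or relaxed
Get-TrustSidFilteringReport |
    Where-Object { $_.Kind -ne 'Intra-forest' -and $_.SidFiltering -ne 'On' } |
    Format-List
```

Run it from each domain in the trusting forest, since trusts are defined per domain.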